[c-nsp] 'privilege level' syntax
Dennis Peng
dpeng at cisco.com
Fri Sep 23 12:51:43 EDT 2005
Peter Hicks [peter.hicks at poggs.co.uk] wrote:
> All,
>
> I'm attempting to give a couple of our site staff access to configure VLAN
> assignments on some switches.
>
> Using RADIUS, they are assigned privilege level 10 and the following has
> been used to move commands down to level 10:
>
> privilege interface level 10 switchport
> privilege interface level 10 switchport access
> privilege interface level 10 switchport access vlan
> privilege interface level 10 shutdown
> privilege interface level 10 no shutdown
> privilege interface level 10 description
> privilege configure level 10 interface
> privilege exec level 10 configure terminal
> privilege exec level 10 write memory
> privilege exec level 10 show running-config
>
> All the servers are on GigabitEthernet3/x, and I'd like to limit access
> further to only ports starting GigabitEthernet3/x (i.e. not anything on
> blade 2, and none of the VLAN interfaces).

The privilege command does not allow such fine granularity, so it
would not be possible to implement such a policy.

Dennis

> TACACS+ would do this easily, but we're already using RADIUS, so that's a
> non-starter.
>
> Anyone able to help?
>
>
> Peter.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
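
Added example, not part of the original thread or of any Cisco tooling: since the privilege command cannot scope level-10 users to particular ports, one compensating check is to compare running-config snapshots taken before and after a change window and report any interface stanza that changed outside GigabitEthernet3/x. It detects out-of-scope changes and does not prevent them. The function names and both sample configs are constructed for illustration, and the snapshots are assumed to be "show running-config" text with full interface names.

```python
import re

# Policy from the thread: site staff may only touch ports on blade 3.
ALLOWED = re.compile(r"^GigabitEthernet3/\d+$")

def interface_stanzas(config: str) -> dict:
    """Map each interface name to the tuple of its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line closes the stanza
    return {name: tuple(cmds) for name, cmds in stanzas.items()}

def out_of_scope_changes(before: str, after: str) -> list:
    """Names of interfaces added, removed or modified outside the allowed range."""
    old, new = interface_stanzas(before), interface_stanzas(after)
    changed = sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))
    return [n for n in changed if not ALLOWED.match(n)]

# Constructed sample snapshots (not taken from a real device).
BEFORE = """\
interface GigabitEthernet2/1
 switchport access vlan 10
!
interface GigabitEthernet3/4
 switchport access vlan 20
!
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
!
"""
AFTER = BEFORE.replace("vlan 10", "vlan 30").replace("vlan 20", "vlan 40").replace(
    " ip address 192.0.2.1 255.255.255.0",
    " ip address 192.0.2.1 255.255.255.0\n shutdown")

if __name__ == "__main__":
    for name in out_of_scope_changes(BEFORE, AFTER):
        print("out-of-scope interface change:", name)
```

The GigabitEthernet3/4 change is in scope and is not reported; the blade 2 port and the VLAN interface are.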